# Property contexts that every core domain may read. get_prop(domain, prop)
# is the macro that grants a domain read access to a property context; each
# line below adds one more context to that read set for coredomain.
get_prop(coredomain, apex_ready_prop)
get_prop(coredomain, boot_status_prop)
get_prop(coredomain, camera_config_prop)
get_prop(coredomain, dalvik_config_prop_type)
get_prop(coredomain, dalvik_runtime_prop)
get_prop(coredomain, exported_pm_prop)
get_prop(coredomain, ffs_config_prop)
get_prop(coredomain, graphics_config_prop)
get_prop(coredomain, graphics_config_writable_prop)
get_prop(coredomain, hdmi_config_prop)
get_prop(coredomain, init_service_status_private_prop)
get_prop(coredomain, lmkd_config_prop)
get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
get_prop(coredomain, radio_control_prop)
get_prop(coredomain, rollback_test_prop)
get_prop(coredomain, setupwizard_prop)
get_prop(coredomain, setupwizard_mode_prop)
get_prop(coredomain, sqlite_log_prop)
get_prop(coredomain, storagemanager_config_prop)
get_prop(coredomain, surfaceflinger_color_prop)
get_prop(coredomain, systemsound_config_prop)
get_prop(coredomain, telephony_config_prop)
get_prop(coredomain, usb_config_prop)
get_prop(coredomain, usb_control_prop)
get_prop(coredomain, userspace_reboot_config_prop)
get_prop(coredomain, vold_config_prop)
get_prop(coredomain, vts_status_prop)
get_prop(coredomain, zygote_config_prop)
get_prop(coredomain, zygote_wrap_prop)

# TODO(b/170590987): remove this after cleaning up default_prop
# default_prop is the catch-all context for properties that have not yet been
# given a dedicated label, so this single line exposes more than any entry
# above; the bug above tracks shrinking it.
get_prop(coredomain, default_prop)

# No core domain may operate on LED sysfs nodes directly. neverallow is a
# build-time assertion, not a runtime grant: policy compilation fails if any
# allow rule elsewhere contradicts it. Entries prefixed with '-' are subtracted
# from the coredomain set and are therefore the only domains that may still be
# granted this access. full_treble_only emits the rule only on full-Treble
# builds.
full_treble_only(`
neverallow {
  coredomain

  # for chowning
  -init

  # generic access to sysfs_type
  -apexd
  -ueventd
  -vold
} sysfs_leds:file *;
')

# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few allowlisted coredomains to keep system/vendor separation.
# The four assertions below enforce the system/vendor boundary for /vendor/app
# and /vendor/overlay. Each '-' entry is an allowlisted exception; adding one
# widens the set of core domains that may cross into the vendor partition, so
# a new entry needs the same justification as the existing ones. Exceptions
# wrapped in userdebug_or_eng() exist only on userdebug/eng builds and are not
# carved out on user builds.
full_treble_only(`
    # Limit access to /vendor/app
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -idmap
        -init
        -installd
        -heapprofd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
    } vendor_app_file:dir { open read getattr search };
')

# File-level counterpart of the /vendor/app directory rule. Note that it
# carries exceptions the directory rule does not (profman, mediaserver, and
# the userdebug_or_eng-only profcollectd / simpleperf_boot), so those domains
# may read files under /vendor/app without being able to list the directory.
full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -idmap
        -init
        -installd
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        -postinstall_dexopt
        -profman
        -rs # spawned by appdomain, so carryover the exception above
        userdebug_or_eng(`-simpleperf_boot')
        -system_server
        -traced_perf
        -mediaserver
    } vendor_app_file:file r_file_perms;
')

# /vendor/overlay (runtime resource overlays): unlike /vendor/app, the zygotes
# are allowlisted here because overlays are loaded into their address space.
full_treble_only(`
    # Limit access to /vendor/overlay
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -app_zygote
        -webview_zygote
        -zygote
        -heapprofd
    } vendor_overlay_file:dir { getattr open read search };
')

# File-level counterpart of the /vendor/overlay directory rule; only `open`
# is asserted here, so the assertion is narrower than the r_file_perms one
# used for /vendor/app files.
full_treble_only(`
    neverallow {
        coredomain
        -appdomain
        -artd
        -dex2oat
        -dexoptanalyzer
        -idmap
        -init
        -installd
        -postinstall_dexopt
        -rs # spawned by appdomain, so carryover the exception above
        -system_server
        -traced_perf
        -app_zygote
        -webview_zygote
        -zygote
        -heapprofd
        userdebug_or_eng(`-profcollectd')
        userdebug_or_eng(`-simpleperf_boot')
    } vendor_overlay_file:file open;
')

# Core domains are not permitted to use kernel interfaces which are not
# explicitly labeled.
# TODO(b/65643247): Apply these neverallow rules to all coredomain.
# Each assertion below targets the generic (unlabeled) type of one kernel
# pseudo-filesystem or device class; nodes that have been given a specific
# label are not covered and are governed by their own rules. no_rw_file_perms
# is a permission-set macro defined elsewhere (global_macros) — check there for
# the exact set it expands to. The exceptions are the domains that legitimately
# need raw access to the unlabeled nodes (init and ueventd for setup and
# labeling, vold/apexd/fsck for mounting).
full_treble_only(`
    # /proc
    neverallow {
        coredomain
        -init
        -vold
    } proc:file no_rw_file_perms;

    # /sys
    # vfio_handler is excepted only when the build flag
    # RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT is enabled.
    neverallow {
        coredomain
        -apexd
        -init
        -ueventd
        is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
        -vold
    } sysfs:file no_rw_file_perms;

    # /dev
    neverallow {
        coredomain
        -apexd
        -fsck
        -init
        -ueventd
    } device:{ blk_file file } no_rw_file_perms;

    # debugfs
    # The three exceptions are wrapped in no_debugfs_restriction(), so they
    # presumably exist only on builds that do not restrict debugfs — confirm
    # against the macro definition. On restricted builds no core domain is
    # excepted at all.
    neverallow {
        coredomain
        no_debugfs_restriction(`
            -dumpstate
            -init
            -system_server
        ')
    } debugfs:file no_rw_file_perms;

    # tracefs
    # Tracing and profiling daemons are the only core domains allowed raw
    # tracefs access; profcollectd and simpleperf_boot only on userdebug/eng.
    neverallow {
        coredomain
        -atrace
        -dumpstate
        -gpuservice
        -init
        -traced_perf
        -traced_probes
        -shell
        -system_server
        -traceur_app
        userdebug_or_eng(`-profcollectd')
        userdebug_or_eng(`-simpleperf_boot')
    } debugfs_tracing:file no_rw_file_perms;

    # inotifyfs
    neverallow {
        coredomain
        -init
    } inotify:file no_rw_file_perms;

    # pstorefs
    # Persistent-store consumers (boot stats, logging, recovery, bug reports);
    # incidentd is excepted only on userdebug/eng builds.
    neverallow {
        coredomain
        -bootstat
        -charger
        -dumpstate
        userdebug_or_eng(`-incidentd')
        -init
        -logd
        -logpersist
        -recovery_persist
        -recovery_refresh
        -shell
        -system_server
    } pstorefs:file no_rw_file_perms;

    # configfs
    neverallow {
        coredomain
        -init
        -system_server
    } configfs:file no_rw_file_perms;

    # functionfs
    neverallow {
        coredomain
        -adbd
        -init
        -mediaprovider
        -system_server
    } functionfs:file no_rw_file_perms;

    # usbfs and binfmt_miscfs
    neverallow {
        coredomain
        -init
    }{ usbfs binfmt_miscfs }:file no_rw_file_perms;

    # dmabuf heaps
    # The target set is the whole dmabuf_heap_device_type attribute minus the
    # two system heaps, so the system and system-secure heap nodes remain
    # reachable by core domains under their own rules.
    neverallow {
        coredomain
        -init
        -ueventd
    }{
        dmabuf_heap_device_type
        -dmabuf_system_heap_device
        -dmabuf_system_secure_heap_device
    }:chr_file no_rw_file_perms;
')

# Following /dev nodes must not be directly accessed by coredomain, but should
# instead be wrapped by HALs.
# Unlike the rules above this assertion has no exceptions and is not gated on
# full_treble_only: it holds for every core domain on every build.
neverallow coredomain {
    iio_device
    radio_device
}:chr_file { open read append write ioctl };

# TODO(b/120243891): HAL permission to tee_device is included into coredomain
# on non-Treble devices.
# Same shape as the iio/radio rule above, but gated on full_treble_only
# because of the non-Treble carve-out tracked by the bug.
full_treble_only(`
    neverallow coredomain tee_device:chr_file { open read append write ioctl };
')